Can you bring a more specific example?
You can use an application filter to create a custom filter which is based on for example "all appid's which match subcategory:email" or "all appids which match characteristic:evavise" etc.
These are dynamic and are based on the classification made by PA in the app-db (for example if PA removes Zimbra from the subcategory email then Zimbra will not be allowed/denied by your security rule using this particular filter next time the app-db updates or an administrator commits the ruleset).
When you create an application group (compared to application filter) you select specific appid's to be put in your custom group.
For example creating an application group named "server-mgmt" which will include appids: ssh, snmp, snmp-trap, syslog, ntp and ping.
These are static (only the stuff you selected for your custom application group will be used) and will only change if an app-id change name or is completely removed (I think you will get an error during commit so you need to fix the application group who now points to an app-id which doesnt exists if that case would happen).
Edit: The above is just for the appid stuff. You can then also setup custom service groups which means which ports (TCP/UDP/ICMP + port number) you which to allow for your security rule.
If you use the custom application group "server-mgmt" as described earlier you can select "any" (which means all UDP/TCP ports will be open and flows will be killed once detected not belonging to any of the appid's selected for "server-mgmt" - in my opinion should be rarely used because you will expose the stuff you try to protect), service-default (based on the default ports which each appid claims to use) or custom (either specific UDP/TCP + port or by a custom service group in case you have a bunch of ports such as TCP22 + UDP161 + UDP162 + UDP514 + UDP123 + ICMP Echo-Request, ICMP Echo-Reply).
Also note that the "server-mgmt" is just an example. In real life I would limit it down even further. Like snmp traps is usually sent FROM a server and not TO a server (except for the server collecting the snmp traps) and so on.
The other option for you will be going and creating a service. By that i mean if u are interested in the ports 91,20,30. You can create a service (objects--->service) and create a new service that uses port 91 and you can do the same for the port20 and port 30. Group all these services into a service group. You can use this service group in the security policy. I hope this helps.
My problem is the following: I have an old check point rule that has "echo-request" and tcp-2463, that is some port used by an unknown application. I want to configure in PAN the same rule, but to do that without adding anything in the application database, I will need to create two rules, one for TCP-2463 (service) and one for PING (application). I want to have just one rule whare I can put PING and TCP-2463 together. I was thinking to create an application where I will specify the port tcp/2463 in the advanced tab. In my rule I will put this recently created application and ping in the app filed, and use "application-default" in the service field. My question is, if I do that, should I expect to have problems with the traffic, specially the one that uses TCP-2463? I made it work for unix traceroute (udp/33434-33534), but I wonder if any other unknown application will have problems if I try. I have hundreds of rules like this, and I want to economize in rules.
After you create the custom app for tcp/2463, you would also want to write an application override policy (Device>application override) as stated by rmonovon stating that any traffic traversing the zones which this traffic would traverse through the PAN over port tcp/2463->mark it as the custom app. That way you are forcing the PAN to bypass the App ID engine for tcp/2463 and explicitly telling it to identify this traffic as your custom app. However, please keep in mind that if you app override certain traffic, that traffic will also bypass the content scanning engine. Hence, if needed, you can submit an app request to Palo Alto for review too see if this is used widely enough, an app can be written.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!